Page MenuHomePhabricator

add jclark to datacenter-ops group
Closed, ResolvedPublicRequest

Description

This request will track the application, approvals, and implementation for @Jclark-ctr's shell account.

Groups requested: datacenter-ops. This is a more limited group and only has sudo rights for those actions deemed needed for the datacenter operations on-site work. (Not everyone gets root automatically, and all but advanced in os troubleshooting can be done with datacenter-ops group. Both Papaul and Willy are also members of this group.

Full Name: John Clark
Purpose for access: @Jclark-ctr is our part time contractor for on-site work in ops-eqiad, assisting @Cmjohnson with the eqiad on-site work. He will need this access to connect to systems, rebuild raid arrays, and troubleshoot/repair hardware issues.
Wikitech user: jclark
Wikitech UID: 21780
email: Jclark-ctr@wikimedia.org

SRE Clinic Duty Checklist for Access Requests

Most requirements are outlined on https://wikitech.wikimedia.org/wiki/Requesting_shell_access

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform.
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff) - This requires @wiki_willy sign off as @Jclark-ctr's manager
  • - 3 business day wait must pass with no objections being noted on the task
  • - sudo group additions are approved by the manager/team that handles that service group. - this request requires approval by @wiki_willy as the DC Ops manager and manager of the dc-ops service group.
  • - Patchset for access request - please note @Jclark-ctr is in the ldap section of the admins module, please move up to shell section for this patchset - https://gerrit.wikimedia.org/r/525847

Event Timeline

RobH created this task.Jul 26 2019, 3:18 PM
Restricted Application added a project: Operations. · View Herald TranscriptJul 26 2019, 3:18 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
RobH assigned this task to Jclark-ctr.EditedJul 26 2019, 3:22 PM
RobH triaged this task as Normal priority.
RobH updated the task description. (Show Details)
RobH moved this task from Untriaged to Awaiting User Input on the SRE-Access-Requests board.

@Jclark-ctr:

We will need you to do the following to get shell access:

  • User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)

Please assign this to @wiki_willy for him to attach the approvals for the following:

  • approval to access systems as your manager
  • approval to access dc-ops group as the dc-ops group manager

Once all the above is done, feel free to assign back to me for implementation.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+1duGbT11VE4IV3KKFzdmHhSl2fAA0CkL93edalw2yqroMxzHjah7GwKB5csjrrbqhn+po0478jsU8OG8hgJBRKSq2cG04ryQk8MVSIy6gnqQ75/5gC4U6wJ50y8MKeMyZCHzMsjs+4xdh9WvJH4cfliPRWYp1JBJpE6E22KE+HK07HYX0TkvyfMf2cLaA0pz1Ovbll8gWb9L9vyKDRmv8+NkaJcLTuKoqSFpxz/UCjVGyBJckDyJbX9FEUyjjMclg+c6C8s2aNgfe3gMKmkKxSEfEqbXuNWfJEVAqJ667MhtsGV92pp6rSWdtAgm6IqGE19hUNFqAy3XiX8vEQY3 jclark@LoanerWMF1953

Approved for the following:

wiki_willy reassigned this task from wiki_willy to RobH.Jul 26 2019, 4:18 PM

Approved for the following:

approval to access systems as your manager
approval to access dc-ops group as the dc-ops group manager

Change 525847 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding jclark to shell and dc ops group

https://gerrit.wikimedia.org/r/525847

RobH updated the task description. (Show Details)Jul 26 2019, 5:06 PM
RobH moved this task from Awaiting User Input to 3 Business Day Wait on the SRE-Access-Requests board.

Please note that the patchset is prepared and this is now in the 3 day waiting period. If no objections are noted, this can be merged on Wednesday, 2019-07-31.

RobH removed RobH as the assignee of this task.Jul 26 2019, 5:07 PM
herron added a subscriber: herron.Jul 29 2019, 3:43 PM

Hey @RobH, Cross-validate accounts started sending notifications for:

Membership of ops group in LDAP and YAML are not identical: ['jclark']

I see there are patches still in flight, but wanted to double check if this known/expected.

Hey @RobH, Cross-validate accounts started sending notifications for:

Membership of ops group in LDAP and YAML are not identical: ['jclark']

I see there are patches still in flight, but wanted to double check if this known/expected.

My understanding is this alert will be resolved with the patchset, @MoritzMuehlenhoff warned me about this as well. Thanks!

Change 525847 merged by RobH:
[operations/puppet@production] adding jclark to shell and dc ops group

https://gerrit.wikimedia.org/r/525847

RobH added a comment.Aug 5 2019, 5:41 PM

This was reviewed in the weekly SRE meeting. After discussion, it was decided that the dc operations user group will be managed by @wiki_willy as the DC Operations Manager.

Change 528206 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] updating notation for dc operations group

https://gerrit.wikimedia.org/r/528206

Change 528206 merged by RobH:
[operations/puppet@production] updating notation for dc operations group

https://gerrit.wikimedia.org/r/528206

RobH closed this task as Resolved.Aug 5 2019, 5:59 PM
RobH claimed this task.
RobH updated the task description. (Show Details)